Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help in Summary Indexing

theouhuios
Motivator
‎01-07-2013 01:21 PM

Hello

I am using a summary indexing to get a chart but it doesn't look like its helping much. I need to have a chart of counts of incidents in last 31days and the search I had before was probably not helping much as I did it on time.

It doesn't help much as there will be incidents on different time. Would it help if I summarize it for one day and run at midnight to collect the results of the previous day and just use that?

Any ideas?

Tags (1)
0 Karma
Reply

Drainy
Champion
‎01-08-2013 12:19 AM

To offer an alternative to the right Honourable MarioM 🙂

Just run it after midnight for the previous day, every day.
To create your first set of data just run the backfill script to populate your index with the last X days of data and from then on it will update each night. Usually I run SI searches for the previous day at around 1am just so I'm happy all events have arrived and because its a nice round number 🙂

E.G. Each night run this for the previous day;

sourcetype=xxx earliest=-1d@d latest=-0d@d | dedup record.incidentId|sistats count by record.priority record.groupArea record.assignmentGroup record.groupDepartment record.affectedCI

Backfill with;

./splunk cmd python fill_summary_index.py -app APPNAME -name "SAVEDSEARCHNAME" -et EARLIESTTIMEMODIFIER -lt LATESTTIMEMODIFER -j 2 -owner SEARCHOWNER

It will prompt for user details when run and the timemodifers are the usual splunk ones, to backfill for a month you can use -et -1mon@mon -lt -0d@d <-- I say one day as your new scheduled search will pick up the current days events when it executes.

The -j flag sets how many concurrent searches it runs, I have put 2 but you can increase this if you have the spec and its not a busy box.

Reply

Drainy
Champion
‎01-08-2013 10:10 AM

How will it kill the box? this is how you do summary indexing 🙂 If you are talking about the backfill then you don't have to backfill at all, if you did want to you could set it to one search and leave it overnight

0 Karma
Reply

theouhuios
Motivator
‎01-08-2013 07:07 AM

I did think of doing this, but it will kill the box with the cpu usage 🙂

0 Karma
Reply

MarioM
Motivator
‎01-07-2013 10:13 PM

what you could try is to use bucket :

sourcetype=xxx| dedup record.incidentId | bucket _time span=1d |sistats count by _time record.priority record.groupArea record.assignmentGroup record.groupDepartment record.affectedCI
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...